Very informative and detailed explanation provided by you in your video. Actually, I was stuck in active-active configurations and this video helped me out. Thank you so very much. 👍👍👍👍
Great to hear!
Thanks for the video, do you know how to achieve this scenario: Dual ISP redundancy if both ISPs are on different firewalls separated over WAN?
To achieve Dual ISP redundancy when the two ISPs are connected to different Palo Alto Networks firewalls located over a WAN, you need to implement a design that allows for automatic failover and load balancing.
Implement a dynamic routing protocol such as BGP or OSPF to exchange routing information between the two firewalls.
Thank u so much for the detailed explanation, so informative.
Anytime :)
Thanks, that was a great help. I really need to understand BGP multihoming configuration better. Question: can you just obtain an ASN and configure your side, or do both of your ISPs need to configure theirs as well? I have lower cost circuits and don’t think they will do any BGP configuring. If that’s the case, is there a way to set one path as primary to the internet and have monitoring only push the traffic to the secondary if there is a failure of the primary?
I am happy that the video helped you!
In general, to configure BGP multihoming, both ISPs need to be involved and configure their side. You will need an ASN, a block of public IP addresses, and two internet connections from different ISPs. Afterwards, you will need to configure BGP on your routers and the ISPs' routers.
@CrazyNet Thanks! Love your channel. 👍
Thank you! Unfortunately, I don't have many videos in English, but you've given me an idea!
I understand that multihoming can be a problem, especially if someone doesn't know BGP or has never configured this type of connection before. So, I could set up a small lab to demonstrate how it works.
Sorry (I just woke up), I forgot to answer a part of your question.
Regarding your question ("If that’s the case, is there a way to set one path as primary to the internet and have monitoring only push the traffic to the secondary if there is a failure of the primary?"):
Yes, there is a way to set one path as the primary path to the internet and have monitoring only push traffic to the secondary path if the primary path fails.
This can be achieved using BGP AS Path Prepending, which is the fourth BGP attribute.
By using AS Path Prepending, you can manipulate the BGP path selection process to prefer the primary link and only fail over to the secondary link if the primary link fails.
Have a good day :)
Very useful! But I see that you use only one interface of the firewall, connected to a switch with the 2 ISPs connected to it... Is the configuration similar if I connect the 2 ISPs directly to 2 firewall interfaces? Thanks!
Thanks! Yes, it is the same :)
@CrazyNet thanks for the reply!!!
Can you do it for dual ISP over BGP?
Yes, I can do it. Tbh, this video I created is BGP dual-homed with Cisco routers and Fortigate (subtitles in English): th-cam.com/video/DMB_WQGaBzI/w-d-xo.html
but the same principle can be applied to Palo Alto.
If you need to see how it works directly on the Palo Alto firewall, I can make another video, there is no problem doing it.
Thanks for the video, however if you have 2 DHCP WAN links, this won't work.
Hi Alex, thanks! Do u mean dynamic IP from the WAN link?